Why the U.S. Government is scaling their cyber visibility practices with Elastic


Amid a growing network of endpoints to support telework and cloud-based applications, US federal civilian agencies are protecting government resilience and resources with a new Continuous Diagnostics and Mitigation Dashboard (CDM Dashboard) built on the Elastic search platform.

At a recent MeriTalk Cyber Central: Defenders Unite event, participants learned about how Elastic, in partnership with ECS, enables security operations center (SOC) teams with cyber visibility at speed and scale.

Historically, the CDM Dashboard was used by civilian agency cyber executives to get a read on cyber-hygiene compliance. Today, the dashboard enables civilian agency SOC teams to view massive amounts of data from disparate systems, query data where it resides, and share vulnerability and mitigation insights. The sharing itself happens across the federal government and with the Cybersecurity and Infrastructure Security Agency (CISA).

Below are the key takeaways from the conversation:

Normalize data with a common schema

Using petabytes of cyber-monitoring data provided by federal agencies, the CDM Dashboard indexes structured, unstructured, and semi-structured cyber data into the Elastic Common Schema (ECS) upon ingestion into the dashboard. This upfront normalization of data from disparate systems across 102 civilian agencies makes it immediately actionable in Kibana, Elastic’s visualization interface. Because every source shares the same field names, agencies can identify and track anomalies at the host level without first reconciling each vendor’s format.
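As an added illustration of that normalization step (example code written for this post, not the CDM Dashboard's or Elastic's own ingest pipelines): two constructed agency feeds with different field names are mapped onto Elastic Common Schema field names at ingest, and the normalized documents are then summarized per host. Feed layouts, field maps, host names and CVE identifiers are all placeholders.

```python
# Added example, not CDM Dashboard or Elastic code. Maps two constructed feeds
# onto ECS field names and then answers a host-level question over the result.
from collections import defaultdict

# Constructed sample records: a vulnerability-scanner export and an endpoint
# inventory feed, each naming the same facts differently. CVE ids are placeholders.
SCANNER_FEED = [
    {"hostname": "ws-0142", "ip_addr": "10.20.3.7", "cve": "CVE-0000-0001", "sev": "Critical"},
    {"hostname": "ws-0142", "ip_addr": "10.20.3.7", "cve": "CVE-0000-0002", "sev": "Medium"},
]
INVENTORY_FEED = [
    {"device": "WS-0142", "address": "10.20.3.7", "os_name": "Windows 10", "agent": "cdm-agent"},
    {"device": "srv-db-01", "address": "10.20.8.2", "os_name": "RHEL 8", "agent": None},
]

# Per-source mapping from vendor field -> dotted ECS field name (assumed layouts).
FIELD_MAPS = {
    "scanner": {"hostname": "host.name", "ip_addr": "host.ip",
                "cve": "vulnerability.id", "sev": "vulnerability.severity"},
    "inventory": {"device": "host.name", "address": "host.ip", "os_name": "host.os.name"},
}

def to_ecs(record, source):
    """Rename known fields into ECS, normalize case so sources join cleanly, stamp event.* fields."""
    doc = {"event.module": source, "event.kind": "state"}
    for vendor_field, ecs_field in FIELD_MAPS[source].items():
        if record.get(vendor_field) is not None:
            doc[ecs_field] = record[vendor_field]
    if "host.name" in doc:
        doc["host.name"] = doc["host.name"].lower()
    if "vulnerability.id" in doc:
        doc["event.category"] = "vulnerability"
        doc["vulnerability.severity"] = doc["vulnerability.severity"].lower()
    # Unmapped vendor fields are kept under a source prefix so no data is dropped.
    for key, value in record.items():
        if key not in FIELD_MAPS[source] and value is not None:
            doc[f"{source}.{key}"] = value
    return doc

def ingest_all():
    return [to_ecs(r, "scanner") for r in SCANNER_FEED] + [to_ecs(r, "inventory") for r in INVENTORY_FEED]

def hosts_with_severity(docs, severity):
    """Host-level view: host.name -> sorted vulnerability ids at the given severity."""
    found = defaultdict(set)
    for d in docs:
        if d.get("event.category") == "vulnerability" and d["vulnerability.severity"] == severity:
            found[d["host.name"]].add(d["vulnerability.id"])
    return {host: sorted(ids) for host, ids in found.items()}

if __name__ == "__main__":
    print(hosts_with_severity(ingest_all(), "critical"))
```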

Query data where it resides

In her remarks at the MeriTalk event, Joanna Dempsey, Director of Cyber Solutions at ECS, emphasized that one best practice the CDM Dashboard program follows is querying data where it resides. This means that data doesn’t move unless it needs to. We keep data in place because moving it introduces unnecessary expense, and every copy in transit or at rest in a new location is one more target for adversaries. Using Elastic’s cross-cluster search, the CDM Dashboard queries data as close to the endpoint as possible. You could say that we bring the questions to the data.

Leverage bi-directional data sharing

The CDM Dashboard leverages the power of the cloud so that all users can benefit from one agency’s findings or from CISA’s full view of the macro environment. Of 102 civilian agencies, 41 are actively engaged with CISA and prioritize threat hunting based on dashboard data. The goal over the next five years is for all 102 civilian agencies to leverage the dashboard so that they can have a deeper understanding of endpoint health by leveraging common tools and syntax.

Pivot to response and recovery

When speaking at the MeriTalk event, Judy Baltensperger, Project Manager of the CDM Program with CISA, noted that the dashboard provides discovery well beyond the pre-built visualizations in Kibana. Tapping into Elastic Security tools, users can apply MITRE ATT&CK and community-based rules to build custom detections and alerts. Leveraging the CDM Dashboard to identify and detect threats lets agencies pivot to response and recovery through operationalized SIEM and EDR, the latter being a requirement of the Executive Order on Improving the Nation’s Cybersecurity.

Incorporate CDM Dashboard in agency plans

The CDM Dashboard provides a wealth of data for agency security teams. We encourage all 102 civilian agencies to prioritize implementing the dashboard by bringing it into their SOCs. This way we can continue to standardize data from decentralized systems, reduce latency, and automate detection at scale.

To get started, visit elastic.co/cdm-dashboard or get in touch directly at federal@elastic.co.